Google Chrome — Krebs on Security

Posts Tagged: Google Chrome

Adware Stages Comeback Via Browser Extensions

The Wikimedia Foundation last week warned that readers who are seeing ads on Wikipedia articles are likely using a Web browser that has been infected with malware. The warning points to an apparent resurgence in adware and spyware that is being delivered via cleverly disguised browser extensions designed to run across multiple Web browsers and operating systems.

An ad served by IWantThis! browser extension. Source: Wikimedia

In a posting on its blog, Wikimedia noted that although the nonprofit organization is funded by more than a million donors and does not run ads, some users were complaining of seeing ads on Wikipedia entries. “If you’re seeing advertisements for a for-profit industry (see screenshot below for an example) or anything but our fundraiser, then your web browser has likely been infected with malware,” reads a blog post co-written by Philippe Beaudette, director of community advocacy at the Wikimedia Foundation.

The blog post named one example of a browser extension called “IWantThis!,” which is essentially spyware masquerading as adware. The description at the IWantThis! Web site makes it sound like a harmless plugin that occasionally overlays ads on third-party Web sites and helps users share product or online shopping wish lists with others. As I was researching this extension, I came across this helpful description of it at the DeleteMalware Blog, which points to the broad privacy policy that ships with this extension:

Examples of the information we may collect and analyze when you use our website include the IP address used to connect your computer to the Internet; login; e-mail address; password; computer and connection information such as browser type, version, and time zone setting, browser plug-in types and versions, operating system, and platform; the full Uniform Resource Locator (URL) clickstream to, through, and from the Site, including date and time; cookie; web pages you viewed or searched for; and the phone number you used to call us. Continue reading →

A Little Sunshine / The Coming Storm — 35 Comments
17
May 12

Facebook Takes Aim at Cross-Browser ‘LilyJade’ Worm

Facebook is attempting to nip in the bud a new social networking worm that spreads via an application built to run seamlessly as a plugin across multiple browsers and operating systems. In an odd twist, the author of the program is doing little to hide his identity, and claims that his “users” actually gain a security benefit from installing the software.

At issue is a program that the author calls “LilyJade,” a browser plugin that uses Crossrider, an emerging programming framework designed to simplify the process of writing plugins that will run on Google Chrome, Internet Explorer, and Mozilla Firefox. The plugin spreads by posting a link to a video on a user’s Facebook wall, and friends who follow the link are told they need to accept the installation of the plugin in order to view the video. Users who install LilyJade will have their accounts modified to periodically post links that help pimp the program.

The goal of LilyJade is to substitute code that specifies who should get paid when users click on ads that run on top Internet properties, such as Facebook.com, Yahoo.com, Youtube.com, Bing.com, Google.com and MSN.com. In short, the plugin allows customers to swap in their own ads on virtually any site that users visit.

I first read about LilyJade in an analysis published earlier this month by Russian security firm Kaspersky Labs, and quickly recognized the background from the screenshot included in that writeup as belonging to user from hackforums.net. This is a relatively open online hacking community that is often derided by more elite and established underground forums because it has more than its share of adolescent, novice hackers (a.k.a. “script kiddies”) who are eager to break onto the scene, impress peers, and make money.

It turns out that the Hackforums user who is selling this plugin is doing so openly using his real name. Phoenix, Ariz. based hacker Dru Mundorff sells the LilyJade plugin for $1,000 to fellow Hackforums members. Mundorff, 29, says he isn’t worried about the legalities of his offering; he’s even had his attorney sign off on the terms of service that each user is required to agree to before installing it.

“We’re not forcing any users to be bypassed, exploited or anything like that,” Mundorff said in a phone interview. “At that point, if they do agree, it will allow us to make posts on their wall through our system.”

Mundorff claims his software is actually a benefit to Facebook and the Internet community at large because it is designed to also remove infections from some of the more popular bot and Trojan programs currently for sale on Hackforums, including Darkcomet, Cybergate, Blackshades and Andromeda (the latter being a competitor to the password-stealing ZeuS Trojan that hides behind Facebook comments). Mundorff maintains that his plugin will result in a positive experience for the average Facebook user, although he acknowledges that customers who purchase LilyJade can modify at will the link that “users” are forced to spread, and may at any time swap in links to malware or exploit sites. Continue reading →

Latest Warnings / Security Tools / Time to Patch — 23 Comments
7
Feb 12

Forcing Flash to Play in the Sandbox

Adobe has released a public beta version of its Flash Player software for Firefox that forces the program to run in a heightened security mode or “sandbox” designed to block attacks that target vulnerabilities in the software.

Sandboxing is an established security mechanism that runs the targeted application in a confined environment that blocks specific actions by that app, such as installing or deleting files, or modifying system information. The same technology has been built into the latest versions of Adobe Reader X, and it has been enabled for some time in Google Chrome, which contains its own integrated version of Flash. But this is the first time sandboxing has been offered in a public version of Flash for Firefox.

Flash is a big target of attackers partly because it is a powerful program with a huge install base; vulnerability management firm Secunia estimates that some version of Flash is installed in 96 percent of the world’s Microsoft PCs. Windows users can further harden their systems against such attacks by swapping out their current version of Flash for this beta. Continue reading →

A Little Sunshine / Latest Warnings / The Coming Storm / Web Fraud 2.0 — 7 Comments
23
Jan 12

‘Citadel’ Trojan Touts Trouble-Ticket System

Underground hacker forums are full of complaints from users angry that a developer of some popular banking Trojan or bot program has stopped supporting his product, stranding buyers with buggy botnets. Now, the proprietors of a new ZeuS Trojan variant are marketing their malware as a social network that lets customers file bug reports, suggest and vote on new features in upcoming versions, and track trouble tickets that can be worked on by the developers and fellow users alike.

A screenshot of the Citadel botnet panel.

The ZeuS offshoot, dubbed Citadel and advertised on several members-only hacker forums, is another software-as-a-service malware development. Its target audience? Those frustrated with virus writers who decide that coding their next creation is more lucrative and interesting than supporting current clients.

“Its no secret that the products in our field — without support from the developers — result in a piece of junk on your hard drive. Therefore, the product should be improved according to the wishes of our customers,” Citadel’s developers claim in an online posting. “One problem is that you have probably experienced developers who ignore your instant messages, because there are many customers but there is only one developer.”

In the following excerpt, taken from a full description of Citadel’s innovations, the developers of this malware strain describe its defining feature as a social networking platform for malware users that is made available through a Web-based portal created by the malware itself.

“We have created for you a special system — call it the social network for our customers. Citadel CRM Store allows you to take part in product development in the following ways:

- Report bugs and other errors in software. All tickets are looked at by technical support you will receive a timely response to your questions. No more trying to reach the author via ICQ or Jabber.

-Each client has the right to create an unlimited number of applications within the system. Requests can contain suggestions on a new module or improvements of existing module. Such requests can be public or private.

-Each client has a right to vote on new ideas suggested by other members and offer his/her price for development of the enhancement/module. The decision is made by the developers on whether to go forward with certain enhancement or new module depending on the voting results.

-Each client has the right to comment on any application and talk to any member. Now it is going to be interesting for you to find partners and like-minded people and also to take active parts in discussions with the developers.

- You can see all stages of module development, if it is approved other members. We update the status and time to completion.

Continue reading →

Latest Warnings / Time to Patch — 21 Comments
9
Nov 11

Adobe, Apple, Microsoft & Mozilla Issue Critical Patches

Adobe, Apple, Microsoft and Mozilla all released updates on Tuesday to fix critical security flaws in their products. Adobe issued a patch that corrects four vulnerabilities in Shockwave Player, while Redmond pushed updates to address four Windows flaws. Apple slipped out an update that mends at least 17 security holes in its version of Java, and Mozilla issued yet another major Firefox release, Firefox 8.

The only “critical” patch from Microsoft this month is a dangerous Windows flaw that could be triggered remotely to install malicious software just by sending the target system specially crafted packets of data. Microsoft says this vulnerability may be difficult to reliably exploit, but it should be patched immediately. Information on the other three flaws fixed this week is here. The fixes are available via Windows Updates for most supported versions of the operating system, including XP, Vista and Windows 7. Continue reading →

Time to Patch — 43 Comments
14
Jun 11

Adobe Ships Security Patches, Auto-Update Feature

Adobe today issued more than a dozen security updates for its Acrobat and PDF Reader programs, including a feature update that will install future Reader security updates automatically. In addition, Adobe has shipped yet another version of its Flash Player software to fix a critical security flaw.

No doubt some will quibble with Adobe’s move toward auto-updating Reader: There is always a contingent in the user community who fear automatic updates will at some point force a faulty patch. But for better or worse, Adobe’s Reader software is the PDF reader software of choice for a majority of Windows computers in use today. Faced with incessant malware attacks against outdated versions of these programs, it seems irresponsible for Adobe to do anything other than offer auto-update capability to to Reader users more aggressively.

Adobe debuted this feature in April 2010, but at that the time Adobe decided to continue to honor whatever update option users had selected (the default has always been “download all updates automatically and notify me when they are ready to be installed”). With this latest update, Adobe will again prompt users to approve an auto-update choice, except this time the option pre-selected will be “Install Updates Automatically.”

Continue reading →

Latest Warnings / The Coming Storm — 48 Comments
9
May 11

Security Group Claims to Have Subverted Google Chrome’s Sandbox

A French security research firm boasted today that it has discovered a two-step process for defeating Google Chrome‘s sandbox, the security technology designed to protect the browser from being compromised by previously unknown security flaws. Experts say the discovery, if true, marks the first time hackers have figured out a way around the vaunted security layer, and almost certainly will encourage attackers to devise similar methods of subverting this technology in Chrome and other widely used software.

In an advisory released today, VUPEN Security said: “We are (un)happy to announce that we have official Pwnd Google Chrome and its sandbox.” The post includes a video showing the exploitation of what VUPEN claims is a previously undocumented security hole in Chrome v.11.0.696.65 on Microsoft Windows 7 SP1 (x64).

“While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any installation of Chrome despite its sandbox, ASLR and DEP,” the advisory notes. ASLR and DEP are two of the key security defenses built into Windows Vista and Windows 7

Google spokesman Jay Nancarrow said the company was unable to verify VUPEN’s claims, because VUPEN hadn’t shared any information about their findings. “Should any modifications become necessary, users will be automatically updated to the latest version of Chrome,” Nancarrow wrote in an email to KrebsOnSecurity.

Chaouki Bekar, VUPEN’s CEO and head of research, confirmed that the company had no plans to share any details about their findings with Google, nor was it aware of any steps users could take to mitigate the threat from this attack.

“No, we did not alert Google as we only share our vulnerability research with our Government customers for defensive and offensive security,” Bekar wrote in response to an emailed request for comment. “Unfortunately, we are not aware of any mitigation to protect against these vulnerabilities.”

Jeremiah Grossman, a Web application security expert and chief technology officer for the security consultancy WhiteHat Security, called the news “quite serious.”

“We have governments competing for 0days, and we’re not even sure who the buyers are, maybe the US government didn’t get the 0day,” Grossman said “One way or the other, consumers are unprotected from an 0day we can’t really verify but probably exists. I think that’s quite serious.”

Continue reading →

Other / Time to Patch — 15 Comments
20
Jul 10

Adobe: ‘Sandbox’ Will Stave Off Reader Attacks

Adobe Systems Inc. said today the next release of its free PDF Reader application will include new “sandbox” technology aimed at blocking the exploitation of previously unidentified security holes in its software.

Sandboxing is an established security mechanism that runs the targeted application in a confined environment that blocks specific actions by that app, such as installing or deleting files, or modifying system information. Adobe said that in developing the sandbox technology, it relied on experts from Microsoft and Google (the latter already has incorporated sandboxing into its Chrome Web browser).

“The idea is to run Reader in a lower-privilege mode so that even if an attacker finds an exploit or vulnerability in Reader, it runs in lower rights mode, which should block the installation of [malware], deleting things on the system, or tampering with the [Windows] registry,” said Brad Arkin, director of product security and privacy at Adobe.

Even if only somewhat effective, the new protections would be a major advancement for one of the computing world’s most ubiquitous and oft-targeted software applications. The company is constantly shipping updates to block new attacks: Less than a month ago, Adobe rushed out a patch to plug vulnerabilities that hackers were using to break into vulnerable machines. Security vendor McAfee found that roughly 28 percent of all known software exploits in the first quarter of 2010 targeted Adobe Reader vulnerabilities. According to anti-virus maker F-Secure, Reader is now the most-exploited application for Windows.

Continue reading →

Time to Patch — 16 Comments
26
May 10

Mozilla Plugin Check Now Does Windows (Sort of)

Mozilla‘s Plugin Check Web site, which inspects Firefox browsers for outdated and insecure plugins, now checks other browsers — including Apple‘s Safari, Google‘s Chrome, Opera, and (to a far lesser extent) even Internet Explorer.

The Plugin Check site looks for a range of outdated plugins, and now works on Safari 4, Google Chrome 4 and up, Mozilla Firefox 3.0 and up, and Opera 10.5. This is a nice idea, and it works to some degree, but the page couldn’t locate version information for about seven of ten plugins I currently have in Firefox.

Similarly it detected version information for three out of nine of my plugins on my Macbook Pro’s Safari installation, although it helpfully informed me of an outdated Flash player on my Mac (doh!). It also detected version numbers for just two of 11 plugins apparently installed in my Google Chrome browser.

Mozilla’s Plugin Check also partially supports IE7 and IE8, although when I visited it with IE, I received an interesting result. I went there with a virgin install of IE8 that didn’t have any third party plugins installed. But rather than tell me I was secure because it could detect no plugins at all, Mozilla’s site actually prompted me to install Adobe’s Flash Player (screen shot below), one of the most-attacked browser plugins of all.

It would be great to see this technology start to detect more plugins. In the meantime, if you’re running Windows and want help keeping up to date with the latest patches, I’d recommend Secunia‘s Personal Software Inspector, a program that periodically reminds you about insecure programs and plugins, and even includes links to download the latest patches.

Krebs on Security

In-depth security news and investigation

Posts Tagged: Google Chrome